Which processes are legitimate?

Which processes are legitimate? SANTANDER 06-25-2008
Posted by SANTANDER on June 25, 2008, 5:09 pm
Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB
virus. My antivirus showed that some executable files were infected; also, when
browsing the web with Internet Explorer, Windows periodically pops up an error message
from RUNDLL:
"Error loading C:\Windows\AppPatch\Jview.dll
The specified module could not be found."
(I use Firefox by default.)

After running a whole-computer scan, NOD32 isolated the infected files in a
Quarantine folder. I removed the Jview.dll.
As far as I know, Win32/Alman.NAD is an infector and downloader and it has its
own driver. If it sits inside some legitimate process (IE), then it will add a new
registry key again. Then removing it will be harder.
Then I ran the HijackThis utility and got the following report. I looked
through the logfile, but I'm not sure which processes and keys are
legitimate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03:59, on 2008.06.25.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 89.251.147.134:6328
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: JavaView - - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3672 bytes
------------------------------------

In addition, I ran a DOS utility that shows the drivers in my system:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User> drivers
Drivers - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
ADDRESS: IMAGE PATH:
124 drivers detected.

C:\Documents and Settings\User>

What is strange is that there are 4 running svchost.exe processes.


Posted by David H. Lipman on June 25, 2008, 5:43 pm

| Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB
| virus. My antivirus showed that some executable files were infected; also, when
| browsing the web with Internet Explorer, Windows periodically pops up an error message
| from RUNDLL:
| "Error loading C:\Windows\AppPatch\Jview.dll
| The specified module could not be found."
| (I use Firefox by default.)

| After running a whole-computer scan, NOD32 isolated the infected files in a
| Quarantine folder. I removed the Jview.dll.
| As far as I know, Win32/Alman.NAD is an infector and downloader and it has its
| own driver. If it sits inside some legitimate process (IE), then it will add a new
| registry key again. Then removing it will be harder.
| Then I ran the HijackThis utility and got the following report. I looked
| through the logfile, but I'm not sure which processes and keys are
| legitimate.

< snip >

| What is strange is that there are 4 running svchost.exe processes.


First off, do NOT post HJT logs to Usenet in general or the Microsoft hierarchy in
particular. If you had bothered to ask, you would have been told this and you would have
been provided with a list of trusted expert forums where HJT logs are allowed and
encouraged.

Secondly, it is NOT the number of running copies of SVCHOST.EXE that is important. Having
4 ~ 8 running copies of SVCHOST.EXE can be considered normal. What is important is the
fully qualified path. SVCHOST.EXE running from %windir%\system32 is legitimate.
SVCHOST.EXE running from a location such as %windir% or C:\Program Files\Common
Files\System are illegitimate locations and are most likely malware.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of
the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's
System Scanner logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
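The reply above makes the point that what matters for svchost.exe is its fully qualified path, not how many copies run. The following added example (not from the thread or from any of the tools it names) applies that check to the "Running processes" section of the posted HJT log, and to two constructed paths matching the illegitimate locations the reply names; the `LEGIT` directory and the `windir` default are assumptions for a Windows XP layout.

```python
import ntpath

# Sample input: the 'Running processes' section of the HJT log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

"""

# Constructed examples (not from the posted log) of the illegitimate
# svchost.exe locations named in the reply: %windir% itself and
# C:\Program Files\Common Files\System.
CONSTRUCTED_SUSPECTS = [
    r"C:\WINDOWS\svchost.exe",
    r"C:\Program Files\Common Files\System\svchost.exe",
]


def parse_running_processes(log):
    """Return the image paths listed under 'Running processes:' in an HJT log."""
    paths, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:  # the section ends at the first blank line
                break
            paths.append(line)
    return paths


def classify_svchost(paths, windir=r"C:\WINDOWS"):
    """Split svchost.exe entries into (legitimate, suspicious) by directory.

    Only %windir%\\system32 counts as legitimate; the comparison is
    case-insensitive because NTFS paths are. `windir` is an assumption for
    a default Windows XP install.
    """
    legit_dir = ntpath.join(windir, "system32").lower()
    legit, suspicious = [], []
    for path in paths:
        if ntpath.basename(path).lower() != "svchost.exe":
            continue
        if ntpath.dirname(path).lower() == legit_dir:
            legit.append(path)
        else:
            suspicious.append(path)
    return legit, suspicious


if __name__ == "__main__":
    procs = parse_running_processes(SAMPLE_LOG)
    ok, bad = classify_svchost(procs + CONSTRUCTED_SUSPECTS)
    print(f"{len(ok)} svchost.exe from system32 (normal), {len(bad)} elsewhere:")
    for path in bad:
        print("  suspicious:", path)
```

On the posted log alone all four svchost.exe entries sit in C:\WINDOWS\System32, so the count of four is, as the reply says, unremarkable.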



Posted by SANTANDER on June 25, 2008, 6:25 pm

Well, thanks for the advice.

santander


Posted by SANTANDER on June 28, 2008, 7:31 am


These forums are absolutely useless, same as most of the mentioned tools like
Deckard's System Scanner, etc., etc. These "tools" just litter the registry
settings and are ineffective and useless.
Windows has a "malicious software removal tool" but it's also an absolutely
useless thing, and not working at all..




Posted by David H. Lipman on June 28, 2008, 8:58 am


| These forums are absolutely useless, same as most of the mentioned tools like
| Deckard's System Scanner, etc., etc. These "tools" just litter the registry
| settings and are ineffective and useless.
| Windows has a "malicious software removal tool" but it's also an absolutely
| useless thing, and not working at all..

The tools are NOT useless. Someone with skills or training can interpret if you are
infected via the system load points. You don't have those skills, thus you came to a faux
conclusion.

The forums are not useless as well. The forums have personnel who have the skills to
interpret the logs of the tools. Again a faux conclusion.

The MRT is an "on Demand" anti-malware scanner and is geared to a limited list of malware.
While not the best of anti-malware On Demand scanners, it does have a level of efficacy
and capability and is far from useless. The fact that you don't have malware targeted by
the MRT should not lead you to the faux conclusion "absolutely useless thing".

I'm sorry, but you asked for assistance and I gave you assistance. It was bad enough that
you posted a HJT log without asking first, but the additional claims of "uselessness" based
upon your limited skill sets means you are unwilling to take appropriate action. This is
unfortunate.

Please tear down that brick wall you have created in your mind!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


